Windows 10’s Antimalware Scan Interface (AMSI) can be bypassed, and attackers routinely try. See how they do it, and what defenders can learn from their tactics.
Malware developers are forever looking for ways to evade detection by their targets’ defenses. One way is to beat the scanners—using obfuscation, encryption, steganography, and other techniques to make it harder for security software to figure out what the intent of a payload is.
Another way is to avoid having the malware scanned in the first place. This is what attackers are trying to do when they target Microsoft’s Antimalware Scan Interface (AMSI). The interface lets applications and services, including third-party ones, hand content such as scripts to the installed antimalware engine for scanning just before it runs, which is what catches code that attackers try to load directly into the memory of a compromised computer rather than writing it to disk.
If the registered AMSI provider (Microsoft Defender by default) matches the content against a known malicious signature, the script is blocked. Recent research from Sophos has detailed the tools and techniques cybercriminals use to bypass AMSI.
Four ways to beat AMSI
Hackers have been found to deploy the following tactics and techniques to bypass malware scanning:
- Flipping a flag: A single line of PowerShell can use .NET reflection to set a private field in PowerShell’s AMSI integration, amsiInitFailed, to true. PowerShell consults this field before requesting a scan, so once it is set the process stops sending content to AMSI and a malicious script can (in theory) execute whatever it is meant to do without ever being scanned. Because the literal string amsiInitFailed is itself signatured by Defender, attackers usually obfuscate it.
- In-memory patching: More than 98% of the bypass attempts Sophos researchers investigated involve tampering with the code of the AMSI library already loaded into the process’s memory, typically the AmsiScanBuffer routine, so that every scan request fails or reports the content as clean. Attackers have integrated this technique into the commercial offensive security platform Cobalt Strike, and researchers have seen it in a number of malware families, including a downloader for the Agent Tesla remote access tool (RAT) and the WannaMine cryptocurrency-mining worm.
- Via a fake DLL: Another method is to fool PowerShell into loading a fake version of the AMSI Dynamic Link Library, amsi.dll, by placing one where the DLL search order finds it before the real copy in System32. However, Microsoft has since changed PowerShell so that it crashes if the expected interfaces are not present in amsi.dll, and attempts to use this bypass are now very rare.
- Staying away from AMSI entirely: Adversaries have also tried to evade AMSI by running the legacy PowerShell 2.0 engine, which lacks AMSI integration and is still installed on many systems, or other script engines that AMSI does not cover.
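The four techniques above leave different footprints in PowerShell’s script block log (Event ID 4104), which is the telemetry a defender can actually act on. The following is an added example, not code from the Sophos research or from this article: a small detector that tags logged script blocks with the technique they resemble. The indicator regexes are this example’s own assumptions, built from the identifiers named above (amsiInitFailed, amsi.dll, the AmsiScanBuffer routine, the 2.0 engine), and the sample script blocks are constructed fixtures that carry only the tell-tale tokens, not working bypass code.

```powershell
# Added example: tag 4104 script-block log entries with the AMSI-evasion
# technique they resemble. Indicator patterns are assumptions for this
# example; tune them against your own telemetry before relying on them.

$AmsiEvasionIndicators = [ordered]@{
    # 1. Flag flip: reflection against PowerShell's AMSI glue class.
    'flag-flip'        = 'amsiInitFailed|AmsiUtils'
    # 2. In-memory patch: resolving and rewriting the scan routine in amsi.dll.
    'memory-patch'     = 'AmsiScanBuffer|AmsiOpenSession|VirtualProtect|WriteProcessMemory'
    # 3. Fake DLL: a file named amsi.dll being written or copied somewhere.
    'fake-dll'         = '(Copy-Item|Move-Item|Set-Content|WriteAllBytes|Invoke-WebRequest)[^\r\n]*amsi\.dll'
    # 4. Engine downgrade: spawning the PowerShell 2.0 engine, which has no AMSI.
    'engine-downgrade' = 'powershell(\.exe)?[^\r\n]*-v(ersion)?\s*2\b'
}

function Get-AmsiEvasionMatches {
    # Returns the names of every indicator group that matches the text.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$ScriptBlockText)
    $hits = [System.Collections.Generic.List[string]]::new()
    foreach ($entry in $AmsiEvasionIndicators.GetEnumerator()) {
        if ($ScriptBlockText -match $entry.Value) { $hits.Add($entry.Key) }  # -match is case-insensitive
    }
    return ,$hits.ToArray()   # unary comma keeps an empty or single result as an array
}

function Get-AmsiEvasionEvents {
    # Live use: scan the most recent 4104 events on this host (needs script block logging).
    param([int]$MaxEvents = 1000)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = [string]$_.Properties[2].Value   # property 2 of a 4104 event is ScriptBlockText
            $tags = Get-AmsiEvasionMatches -ScriptBlockText $text
            if ($tags.Count -gt 0) {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    Techniques  = $tags -join ','
                    Snippet     = $text.Substring(0, [Math]::Min(80, $text.Length))
                }
            }
        }
}

# Constructed sample script-block texts standing in for logged events. They
# only carry the tell-tale tokens; none of them is a working bypass.
$SampleScriptBlocks = @(
    'Get-ChildItem C:\Users | Measure-Object'                                           # benign
    '$name = "amsiInitFailed"  # constructed fragment'                                  # flag flip
    '$addr = Get-ProcAddress $amsi "AmsiScanBuffer"; VirtualProtect $addr 6 0x40 0  # constructed'
    'Copy-Item .\stage.bin C:\Users\Public\amsi.dll  # constructed'                     # fake DLL
    'powershell.exe -NoProfile -Version 2 -File .\legacy.ps1  # constructed'            # downgrade
)

$SampleScriptBlocks | ForEach-Object {
    [pscustomobject]@{ Techniques = (Get-AmsiEvasionMatches -ScriptBlockText $_) -join ','; Text = $_ }
} | Format-Table -AutoSize
```

The four constructed samples each light up exactly one tag and the benign line none. Two caveats a practitioner should keep in mind: the flag-flip and memory-patch indicators are string matches, so an attacker who obfuscates the identifiers (which the Sophos findings show they do) will slip past them, and that is exactly why behaviour-based detection is recommended alongside this kind of rule; and Get-AmsiEvasionEvents only sees script blocks that were logged, so it is blind to the downgrade technique when the 2.0 engine is used, because that engine does not write 4104 events at all.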
In many of the cases where AMSI evasion was identified, the point of entry for the attack was an unprotected desktop or server, which allowed the malware to establish a foothold and attempt to move across the network. In others, unpatched vulnerabilities, such as the ProxyLogon vulnerability identified in Exchange Server in March 2021, were at the root of the compromise.
Sophos researchers recommend that organizations add multiple layers of protection and deploy them consistently across the network, including on servers, which often lack endpoint protection. Said Sean Gallagher, senior threat researcher at Sophos: “AMSI remains a target for malware developers trying to evade security scans largely because of the success of Windows 10 and the Windows Server platforms that feature AMSI. The concern for defenders is that malicious actors are continuously reworking their techniques to adapt to changes in the Windows platform to evade signature-based detections. Adding behavior-based detection and protecting AMSI’s in-memory code from alteration can help defuse the threat posed by malware equipped with AMSI evasion, regardless of what the code looks like.”
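Consistent deployment of protection across every host is the recommendation above; the concrete, host-side conditions that decide whether the fake-DLL and engine-downgrade evasions work at all, and whether the script block log exists for detection to read, can be checked and fixed from PowerShell. The following is an added example of my own, not Sophos’s guidance in code form. It assumes a Windows 10 client (on Windows Server the 2.0 engine is a Windows feature instead, removed with Uninstall-WindowsFeature PowerShell-V2), an elevated session, and that amsi.dll is already mapped into the running PowerShell process; the function names Test-AmsiPosture and Set-AmsiPosture are mine.

```powershell
# Added example: report on, and optionally fix, the host conditions that make
# AMSI evasion easy. Feature name, registry key and module check are the
# standard Windows ones; the function names are this example's own.

function Test-AmsiPosture {
    # Legacy PowerShell 2.0 engine: if present and enabled, "staying away from AMSI" works.
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue

    # Script block logging: without it, the 4104 events that detection depends on never exist.
    $sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $sbl = Get-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue

    # Fake-DLL check: the amsi.dll mapped into this process must be the signed copy in System32.
    $expected = Join-Path $env:SystemRoot 'System32\amsi.dll'
    $loaded = [System.Diagnostics.Process]::GetCurrentProcess().Modules |
        Where-Object { $_.ModuleName -ieq 'amsi.dll' } | Select-Object -First 1
    $loadedPath = if ($loaded) { $loaded.FileName } else { $null }
    $sigStatus  = if ($loaded) { (Get-AuthenticodeSignature -FilePath $loaded.FileName).Status } else { 'NotLoaded' }

    [pscustomobject]@{
        PowerShellV2EngineEnabled = [bool]($v2 -and $v2.State -eq 'Enabled')
        ScriptBlockLoggingEnabled = [bool]($sbl -and $sbl.EnableScriptBlockLogging -eq 1)
        AmsiDllPath               = $loadedPath
        AmsiDllFromSystem32       = [bool]($loaded -and ($loaded.FileName -ieq $expected))
        AmsiDllSignature          = $sigStatus
    }
}

function Set-AmsiPosture {
    # Applies the two fixes; supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('MicrosoftWindowsPowerShellV2Root', 'Disable legacy PowerShell 2.0 engine')) {
        Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
    }
    $sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if ($PSCmdlet.ShouldProcess($sblKey, 'Enable script block logging')) {
        New-Item -Path $sblKey -Force | Out-Null
        Set-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -Value 1 -Type DWord
    }
}

# Report first, then fix. Run Set-AmsiPosture -WhatIf to preview the changes.
Test-AmsiPosture | Format-List
```

A healthy host reports PowerShellV2EngineEnabled False, ScriptBlockLoggingEnabled True, AmsiDllFromSystem32 True and AmsiDllSignature Valid. Note what this check does not cover: it cannot tell whether the in-memory code of a correctly loaded amsi.dll has been patched, which is the technique behind the large majority of attempts Sophos saw, and which is why the quote above calls for protection of AMSI’s in-memory code by the endpoint product rather than by a script.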